CSA - CAN/CSA-ISO/IEC/IEEE 8802-1X:18 AMD 2
Telecommunications and exchange between information technology systems — Requirements for local and metropolitan area networks — Part 1X: Port-based network access control AMENDMENT 2: YANG data model
| Organization: | CSA |
| Publication Date: | 1 January 2021 |
| Status: | inactive |
| Page Count: | 148 |
| ICS Code (Networking): | 35.110 |
scope:
The scope (1.1) of this standard is addressed by detailed specification of the following:
a) The principles of port-based network access control operation, identifying the protocol components that compose a port-based network access control implementation (Clause 6).
b) A PAE component, that supports authentication, authorization, and the key agreement functionality required by IEEE Std 802.1AE to allow a MAC Security Entity (SecY) to protect communication through a port (6.3, Clause 12).
c) A Port Access Controller (PAC) component, that controls communication where the attached LAN is deemed to be physically secure and provides point-to-point connectivity (6.4).
d) The key hierarchy used by the PAE and SecY (6.2).
e) The use of EAP by PAEs to support authentication and authorization using a centrally administered Authentication or AAA Server (Clause 8).
f) An encapsulation format, EAPOL, that allows EAP Messages and other protocol exchanges to support authentication and key agreement to be carried directly by a LAN MAC service (Clause 11).
g) A MAC Security Key Agreement protocol (MKA) that the PAE uses to discover associations and agree the keys used by a SecY (Clause 9).
h) An EAPOL Announcement protocol that allows a PAE to indicate the availability of network services, helping other PAEs to choose appropriate credentials and parameters for authentication and network access (Clause 10).
i) Requirements for management of port-based access control, identifying the managed objects and defining the management operations for PAEs (12.9).
j) SMIv2 MIB objects that can be used with SNMPv3 to manage PAEs (Clause 13).
k) YANG configuration and operational state models for PAE and PAE System components (Clause 14).
The use of port-based network access control in a number of applications is described (Clause 7) to illustrate the use of these components and the requirements taken into account in their specification. To facilitate migration to this standard, Annex F (informative) uses the same concepts to describe the architectural modeling of unsecured multi-access LANs, a widely deployed form of authenticated port-based network access control that does not meet the security requirements of this standard. Administrative connectivity to unauthenticated devices, as required for use of industry standard 'Wake-on-LAN' (WoL) protocols, is described for the scenarios of Clause 7; Annex E (informative) provides background information on WoL.
This standard defines conformance requirements (Clause 5) for the implementation of the following:
l) Port Access Entities (PAEs)
m) Port Access Controllers (PACs)
Annex A provides PICS (Protocol Implementation Conformance Statement) Proformas for completion by suppliers of implementations that are claimed to conform to this standard.
The basic architectural concepts, such as 'port', on which this standard relies are reviewed in IEEE Std 802.1AC.
This standard uses and selects options provided by EAP and AAA protocol specifications, but does not modify those specifications (see Clause 2 for references). Annex D (informative) provides EAP and RADIUS usage guidelines.
The specification and conformance requirements for association discovery and key agreement for IEEE 802.11 Wireless LANs are outside the scope of this standard (see IEEE Std 802.11). That standard makes use of the PAE specified by this standard.
Document History